How Not to Fight Terror

Box cutters, some flight training and a lot of determination.
Although it now seems clear that the hijackers of September
11 had the support of an international terror organization,
the real lesson is that it is frighteningly easy for
a small number of intelligent people, acting together,
to do a tremendous amount of damage.

Box cutters, some flight training and a lot of determination.
Although it now seems clear that the hijackers of September
11 had the support of an international terror organization,
the real lesson is that it is frighteningly easy for
a small number of intelligent people, acting together,
to do a tremendous amount of damage.


Technologists routinely underestimate the power of
low-tech attacks. After all, it’s much more interesting
(and lucrative) to work on the Bush administration’s
national missile defense project than to think up practical
strategies for protecting office buildings from fire,
truck bombs and suicide pilots.


But even more disturbing than our failure to plan for
the terrorist attack is the nature of our antiterrorist
planning in the days that followed. Two days after the
attacks, New Hampshire senator Judd Gregg called for
a global ban on ‘uncrackable’ encryption systems.
Within a week, Attorney General John Ashcroft started
arguing for a dramatic expansion in the FBI’s authority
to wiretap telephones; his proposed law would make such
taps much easier to obtain. Meanwhile, there are calls
to expand the use of the FBI’s e-mail interception
system, known as Carnivore, and the National Security
Agency’s Echelon surveillance system (see ‘Will
Spyware Work?
‘)
. Even a national identification
card with ATM-like verification stations might be in
the works.


Ashcroft and Bush want Congress to act fast; by the
time you read this, their legislative agenda will be
law. But even after Congress does as it is told, and
even if the Supreme Court upholds the new laws as constitutional,
America won’t be a fundamentally safer place.


Let’s look first at wiretapping, a tremendously
powerful crime-fighting technology. With fewer than
2,000 authorized in the United States each year, wiretaps
are so rare that crooks almost never expect them; it’s
not uncommon to hear perpetrators joking on intercept
tapes that they should be careful with what they say
because the cops are probably listening in. And the
government has already taken significant steps to make
wiretapping more effective. In 1994, Congress passed
legislation that opened the world of digital telephony
to the G-man’s alligator clips. The law requires
that every telephone switch sold in the United States
be wiretap ready. It forces cell-phone companies to
deploy equipment that exists solely for the purpose
of intercepting phone conversations and sending an audio
copy to the feds.


The wiretap laws still need some work. Back in 1995,
for example, nobody imagined that drugstores would one
day be selling disposable cell phones: it simply doesn’t
make sense to force the FBI to get a different wiretap
order for every phone number that it wishes to bug.
That’s why the law was amended again to allow the
use of ‘roving wiretaps.’ According to the
U.S. government’s own Wiretap Report, roving wiretaps
were approved for seven federal investigations and 20
state investigations in 2000. (More than half of those
cases were drug investigations; none of them were for
terrorism.)


But even with such authority, and even if Ashcroft’s
expanded wiretap provisions had been in place in August
2001, it is doubtful that the September 11 attacks would
have been anticipated, let alone prevented. And if we
require the FBI to wiretap every phone call of every
foreigner in the United States, it’s doubtful that
the agency will have the resources to even listen to
all the tapes, let alone make sense of the often guarded
language of people plotting crimes.


Nor is limiting the use of encryption the way to go.
Listening to Senator Gregg’s scary talk about terrorists
using unbreakable encryption systems, it is hard to
imagine any American contesting restrictions on such
an inherently dangerous technology. Gregg and the FBI
have long opposed strong encryption on the grounds it
limits the ability to conduct searches and execute wiretaps.
That’s because in recent years, cops have been
increasingly frustrated by encrypted files on seized
computers in cases involving financial crimes, child
pornography and drug dealing. To the FBI’s vaunted
Carnivore system, encrypted e-mail is, as they say,
a cipher. And voice encryption can render a telephone
wiretap useless.


But despite reports that Osama bin Laden is a big fan
of encryption, a ban on tough encryption systems wouldn’t
have prevented the terrorist attacks of September 11.
For starters, all the terrorists had to do to scramble
their conversations was speak quickly in Dari or Pashto––two
Afghan languages for which we have few translators available.
This is not a new trick: in World War II, the U.S. military
used Navajo ‘code talkers’ speaking in their
native language to create an unbreakable communications
system.


Even if we could persuade our enemies to speak in English,
there is nothing to prevent them from using strong encryption.
After all, software that makes unbreakable codes has
been available worldwide for more than a decade. Laws
banning crypto will have no more effect than laws against
flying fully fueled Boeing 767s into 100-story skyscrapers.


On the other hand, laws mandating the use of weakened
encryption or ‘key escrow’ could have a devastating
impact on business and e-commerce. What Gregg and others
fail to realize is that the vast majority of cryptography
users today are not terrorists and drug dealers but
U.S. businesses. Many banks and brokerage firms, for
example, demand that their customers use an ‘unbreakable’
encryption scheme based on a digital key 128 bits long
when accessing electronic banking systems. Encryption
likewise protects credit card numbers used to make purchases
over the Internet. And a growing number of U.S. companies
operating overseas use encryption to give branch offices
secure links to the home office’s computers. Over
the last 10 years, corporations have experimented with
weaker forms of encryption that include ‘back doors’
for law enforcement. Their almost universal conclusion:
the technology is too complex to deploy, and it creates
risks and vulnerabilities that are unacceptable to many
users.


The third infotech weapon commonly called upon to fight
terrorists is a national ID card. But the United States
already has a de facto national identity card: it’s
called a driver’s license. Over the past 10 years,
driver’s licenses have been standardized, they
have been equipped with bar codes and magnetic strips,
and states have created databases of digitized driver’s-license
photographs. Indeed, a driver’s license is the
most readily accepted identification for anyone flying
on an airplane, opening a bank account or obtaining
most social services.


Adding biometric identifiers like fingerprints or face
prints to the driver’s license and requiring that
it be carried at all times would not have prevented
the September 11 attacks. Don’t forget, Mohamed
Atta and at least several other hijackers had valid
driver’s licenses. And while many of the attackers
were using stolen identities, those identities were
stolen overseas. If the United States had a biometrically
enabled national identity card, the hijackers would
have been issued those cards when they legally entered
our country––under whatever names they had already
stolen.


If we really want to ban technologies that have been
used by international terrorists, we should start with
box cutters: they are small, hard to detect and have
a proven track record. Ceramic knives are equally stealthy
and dangerous: better ban them too. While we’re
at it, we might as well ban commercial airliners: let’s
see those terrorists try to hijack a train!


Banning additional carry-on items is not the way to
go. Instead of loading the plane with five terrorists,
next time the enemy might use 20. A contingent that
large could take over the passenger cabin without any
weapons whatsoever. That’s why aviation experts
are sensibly calling for stronger doors separating pilots
from passenger cabins.


Meanwhile, we need to harden the rest of our society,
because the next assault will almost certainly not involve
the hijacking of a civilian airliner. Two weeks after
the attacks in New York, the sight of small planes flying
low over Massachusetts’s Quabbin Reservoir, which
supplies Boston’s water, prompted fears that the
reservoir might be poisoned. The Massachusetts Water
Resources Authority dismissed such fears as baseless,
saying that it performs 100 safety tests on the reservoir
every week, and that in any event, Quabbin is too big
to poison. This made me feel somewhat safe––until
I learned that these weekly checks don’t include
tests for radioactivity.


We have the capacity to turn the United States into
a surveillance society the likes of which the world
has never seen. We could also significantly reduce the
chances of a successful terrorist action in the future––a
quite separate pursuit. It looks like Bush and Ashcroft
are using September 11 as an excuse to clamp down on
civil liberties, not as a wake-up call for solving these
hard problems.

Author: Simson Garfinkel

News Service: Technology Review

URL: http://www.techreview.com/magazine/dec01/garfinkel.asp